How to make access token valid for management API calls?

Using "auth0-js": "8.7.0".

I have an app that is connected to an API with an audience ref. This works fine, using the access_token to authorize API calls.

Now, I need to be able to access the users app_metadata. After some googling I found that this has to be done through the Management API now??!?

I have enabled the API for my apps client, only to receive a “Bad Audience”- message from the Management API.

Why can’t this be done? Shouldn’t I be able to fetch my users metadata?
Help!! :smiley:

(PS: tried the rule custom-claims thing, but no-go)


function (user, context, callback) {
  var namespace = '';
  context.accessToken[namespace + 'app_metadata'] = user.app_metadata;
  context.accessToken[namespace + 'user_metadata'] = user.user_metadata;
  console.log(user); //debugging
  callback(null, user, context);

The recommendation for most cases would be to use the custom claims approach in rules; can you clarify if you tried it and you could not get the info on the token or you tried and although it worked it did not meet your requirements. If it’s the former then update the question with the sample rule code, if the latter then state what requirements could not be met with the custom claims approach.

I have updated my question with my rule-code. The console.log(user) does not show any metadata in the auth0 debugger.

The issue with that particular rule is that the namespace you’re trying to use is restricted; see the warning in the reference documentation for custom claims for up to date information on restrictions, but at the time this was written:, and are Auth0 domains and therefore cannot be used as a namespace identifier.

In addition, even with a valid namespace the claims will only be added if the end-user has metadata associated with it so if you say you are not seeing metadata with the console.log call then you’ll need to check if the specific user really has metadata. Another thing to have in mind is that ideally, you’ll include only the necessary pieces of information contained within metadata instead of including the whole thing.

Aha! Thank you! Spot on. Restricted namespace AND the user did not have any metadata.